I’ve seen a few posts with questions regarding different scenarios for using a VPN with AWS. So, I figured I would write about 3 different scenarios that I come across and how I deal with them. My hope is that you guys will add some information on how you deal with them as well.
- Basic connection back to your office(s) – So this scenario is when you are connecting to networks that you control. In other words, you know there are no overlapping CIDR blocks. This is a perfect use case for the traditional AWS VPN service. I’ve found that once you are able to configure your local router, it’s a pretty bulletproof solution. I would recommend making sure that you have both tunnels configured. I’ve had AWS take them down for maintenance on me before.
- DEV access to private subnet – So I’m sure that there will be plenty of people chiming in on this. Sometimes when we have developers that need access to odd backend ports I will install an OpenVPN solution. I will use the marketplace AMI and put it in the public subnet. You will need to make sure that you are allowing traffic into the private subnets with your OpenVPN setup. You will also need to allow traffic inbound on your NAT instance from your local subnet. This is a pretty popular solution with developers as it allows them carte blanche access and still keeps the stack secure. The OpenVPN documentation is pretty complete as well.
- Site to Site VPN to outside parties – So I have a couple of customers that need secure connections to third parties. Also, this could apply to you if you have existing offices that may have overlapping CIDR blocks. In this scenario I use a Public / Private Subnet configuration in a VPC. Instead of using an AWS NAT AMI I will use the marketplace AMI from pfSense. There are some other solutions out there, Openswan, Vyatta, etc. I like pfSense because it’s pretty easy to use out of the box, and there is quite a bit of documentation out there for it. This setup mirrors a regular corporate network. Also, most importantly, it allows you to use NAT-T, meaning I can assign a virtual IP address to my IPsec interface. I’ve had very good luck connecting this to multiple overlapping networks.
Those are the main scenarios that I have run across and my typical answer to them. Please let me know what feedback you have.
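As an added example (my own code, not something from the post above), here is the address-plan check that decides between these scenarios the way the post does: no overlap between the VPC and the peer networks means the plain AWS VPN is fine, an overlap means you need the NAT-capable appliance layout, and for the OpenVPN case the client pool itself must not collide with anything the developers route to. The function names, the sample CIDRs, and the use of 100.64.0.0/10 as a pool to draw translated ranges from are all assumptions for illustration, not anything the post specifies.

```python
# Added example, not from the original post. Function names, sample CIDRs and
# the 100.64.0.0/10 translation pool are assumptions for illustration only.
import ipaddress
from typing import Iterable, List, Optional, Tuple


def _nets(cidrs: Iterable[str]) -> list:
    # strict=True rejects a CIDR with host bits set (e.g. 10.0.1.5/24),
    # the kind of typo that hides a real overlap in an address plan.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def overlapping_pairs(local: Iterable[str], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """Every (local, remote) CIDR pair whose address ranges overlap."""
    return [(str(a), str(b))
            for a in _nets(local) for b in _nets(remote) if a.overlaps(b)]


def choose_scenario(vpc_cidrs: Iterable[str], peer_cidrs: Iterable[str]) -> str:
    """Scenario 1 (AWS-managed VPN) when nothing overlaps; otherwise the
    scenario 3 layout with a NAT-capable VPN appliance in the public subnet."""
    if overlapping_pairs(vpc_cidrs, peer_cidrs):
        return "nat-appliance-vpn"
    return "aws-managed-vpn"


def client_pool_ok(client_pool: str, *known: Iterable[str]) -> bool:
    """Scenario 2: the OpenVPN client address pool must not collide with the
    VPC or with any office network the developers also reach over the tunnel."""
    return all(not overlapping_pairs([client_pool], nets) for nets in known)


def pick_translation_range(peer_cidr: str, in_use: Iterable[str],
                           pool: str = "100.64.0.0/10") -> Optional[str]:
    """Scenario 3: choose an equally sized block from `pool` that collides with
    nothing in `in_use`, to stand in for an overlapping peer network behind a
    1:1 NAT on the appliance. The RFC 6598 shared range is only a suggested pool."""
    peer = ipaddress.ip_network(peer_cidr, strict=True)
    pool_net = ipaddress.ip_network(pool, strict=True)
    if peer.prefixlen < pool_net.prefixlen:
        return None  # the peer network is larger than the whole pool
    used = _nets(in_use)
    for cand in pool_net.subnets(new_prefix=peer.prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None  # pool exhausted


if __name__ == "__main__":
    # Constructed sample address plan.
    vpc = ["10.0.0.0/16"]
    offices = ["192.168.10.0/24", "172.16.0.0/12"]
    partner = ["10.0.5.0/24"]          # collides with the VPC on purpose
    print(choose_scenario(vpc, offices))
    print(choose_scenario(vpc, partner), overlapping_pairs(vpc, partner))
    print(client_pool_ok("172.27.224.0/20", vpc, offices))
    print(pick_translation_range(partner[0], vpc + offices))
```

Running it with the constructed plan reports the office link as a fit for the AWS VPN, flags the partner's 10.0.5.0/24 against the VPC's 10.0.0.0/16, rejects a 172.27.224.0/20 client pool because it sits inside the office 172.16.0.0/12, and proposes 100.64.0.0/24 as the block to present the partner network as behind the appliance.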